mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 15:36:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

access controls: promisification

Browse source 
`getPadAccess()` (src/node/padaccess.js) is now "promise only", resolving to
`true` or `false` as appropriate, and throwing an exception if there's an
error.

The two call sites (padreadonly.js and importexport.js) updated to match.
This commit is contained in:
Ray Bellis 2019-01-23 16:29:36 +00:00
parent 34fdaa4e8c
commit d5d28717c4
3 changed files with 39 additions and 70 deletions
Download patch file Download diff file Expand all files Collapse all files

37
src/node/hooks/express/importexport.js
View file

@ -5,12 +5,11 @@ var importHandler = require('../../handler/ImportHandler');
var padManager = require("../../db/PadManager"); var padManager = require("../../db/PadManager");
exports.expressCreateServer = function (hook_name, args, cb) { exports.expressCreateServer = function (hook_name, args, cb) {
args.app.get('/p/:pad/:rev?/export/:type', function(req, res, next) { args.app.get('/p/:pad/:rev?/export/:type', async function(req, res, next) {
var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"]; var types = ["pdf", "doc", "txt", "html", "odt", "etherpad"];
//send a 404 if we don't support this filetype //send a 404 if we don't support this filetype
if (types.indexOf(req.params.type) == -1) { if (types.indexOf(req.params.type) == -1) {
next(); return next();
return;
} }
// if abiword is disabled, and this is a format we only support with abiword, output a message // if abiword is disabled, and this is a format we only support with abiword, output a message
@ -22,28 +21,26 @@ exports.expressCreateServer = function (hook_name, args, cb) {
res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Origin", "*");
hasPadAccess(req, res, function() { if (await hasPadAccess(req, res)) {
console.log('req.params.pad', req.params.pad); console.log('req.params.pad', req.params.pad);
padManager.doesPadExists(req.params.pad, function(err, exists) { let exists = await padManager.doesPadExists(req.params.pad);
if (!exists) { if (!exists) {
return next(); return next();
} }
exportHandler.doExport(req, res, req.params.pad, req.params.type); exportHandler.doExport(req, res, req.params.pad, req.params.type);
}); }
});
}); });
// handle import requests // handle import requests
args.app.post('/p/:pad/import', function(req, res, next) { args.app.post('/p/:pad/import', async function(req, res, next) {
hasPadAccess(req, res, function() { if (await hasPadAccess(req, res)) {
padManager.doesPadExists(req.params.pad, function(err, exists) { let exists = await padManager.doesPadExists(req.params.pad);
if (!exists) { if (!exists) {
return next(); return next();
} }
importHandler.doImport(req, res, req.params.pad); importHandler.doImport(req, res, req.params.pad);
}); }
});
}); });
} }

57
src/node/hooks/express/padreadonly.js
View file

@ -1,57 +1,26 @@
var async = require('async');
var ERR = require("async-stacktrace");
var readOnlyManager = require("../../db/ReadOnlyManager"); var readOnlyManager = require("../../db/ReadOnlyManager");
var hasPadAccess = require("../../padaccess"); var hasPadAccess = require("../../padaccess");
var exporthtml = require("../../utils/ExportHtml"); var exporthtml = require("../../utils/ExportHtml");
exports.expressCreateServer = function (hook_name, args, cb) { exports.expressCreateServer = function (hook_name, args, cb) {
// serve read only pad // serve read only pad
args.app.get('/ro/:id', function(req, res) { args.app.get('/ro/:id', async function(req, res) {
var html;
var padId;
async.series([ // translate the read only pad to a padId
// translate the read only pad to a padId let padId = await readOnlyManager.getPadId(req.params.id);
function(callback) { if (padId == null) {
readOnlyManager.getPadId(req.params.id, function(err, _padId) { res.status(404).send('404 - Not Found');
if(ERR(err, callback)) return; return;
}
padId = _padId; // we need that to tell hasPadAcess about the pad
req.params.pad = padId;
// we need that to tell hasPadAcess about the pad if (await hasPadAccess(req, res)) {
req.params.pad = padId;
callback();
});
},
// render the html document // render the html document
function(callback) { html = await exporthtml.getPadHTMLDocument(padId, null);
// return if the there is no padId res.send(html);
if(padId == null) { }
callback("notfound");
return;
}
hasPadAccess(req, res, function() {
// render the html document
exporthtml.getPadHTMLDocument(padId, null, function(err, _html) {
if(ERR(err, callback)) return;
html = _html;
callback();
});
});
}
],
function(err) {
// throw any unexpected error
if(err && err != "notfound")
ERR(err);
if(err == "notfound")
res.status(404).send('404 - Not Found');
else
res.send(html);
});
}); });
} }

15
src/node/padaccess.js
View file

@ -1,17 +1,20 @@
var ERR = require("async-stacktrace");
var securityManager = require('./db/SecurityManager'); var securityManager = require('./db/SecurityManager');
// checks for padAccess // checks for padAccess
module.exports = function (req, res, callback) { module.exports = async function (req, res) {
securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password, function(err, accessObj) { try {
if (ERR(err, callback)) return; let accessObj = await securityManager.checkAccess(req.params.pad, req.cookies.sessionID, req.cookies.token, req.cookies.password);
if (accessObj.accessStatus === "grant") { if (accessObj.accessStatus === "grant") {
// there is access, continue // there is access, continue
callback(); return true;
} else { } else {
// no access // no access
res.status(403).send("403 - Can't touch this"); res.status(403).send("403 - Can't touch this");
return false;
} }
}); } catch (err) {
// @TODO - send internal server error here?
throw err;
}
} }